ASA 5510 log messages %ASA-4-419002: Duplicate TCP SYN

An ASA 5510 I'm running as an IPSec gateway is producing lots of log
messages like this:
%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number
Why is this bad, or even worth reporting?
Is the obvious solution ("no logging message 419002") also the correct one?
TIA
Tilman
PS: The CCO Error Message Decoder doesn't even know that message, and its
only suggestion is that I might have mistyped it.
--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...

* Tilman Schmidt wrote:
> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
> messages like this:
>
> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
> outside:10.2.160.51/80 with different initial sequence number
>
> Why is this bad, or even worth reporting?
TCP SYN packets might be lost and resent without modification. That's normal.
TCP SYN packets with different sequence numbers are the way to go for
opening TCP sessions using a spoofed source IP. This is a serious attack.
It's hard to trace the sender, because you can't trust the src IP. So you
have to go through the routers backwards in order to find the attacker.
In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.


Lutz

1/31/2008 11:40:15 AM

Lutz Donnerhacke wrote:
> * Tilman Schmidt wrote:
>> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
>> messages like this:
>>
>> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
>> outside:10.2.160.51/80 with different initial sequence number
>>
>> Why is this bad, or even worth reporting?
>
> TCP SYN packets might be lost and resent without modification. That's normal.
>
> TCP SYN packets with different sequence numbers are the way to go for
> opening TCP sessions using a spoofed source IP. This is a serious attack.
> It's hard to trace the sender, because you can't trust the src IP. So you
> have to go through the routers backwards in order to find the attacker.
>
> In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.
Hmm. The guy with 192.168.1.100 is me. :-)
The network behind the ASA's inside interface is completely under my
control, with the ASA being the only gateway, so I'm reasonably sure
there's no source IP address spoofing going on.
192.168.1.100 is a Windows Server 2003 I manage. It is running Tandberg
videoconferencing management software (TMS) and nothing else. It is
certainly running nothing that can be considered "hacking software".
10.2.160.51 is one of the managed conferencing devices, and these
thingies actually do have a web interface for management, so an access
to its port 80 from my management server is absolutely plausible too.
In sum, this traffic is, with a probability bordering on certainty,
legitimate.
Should I complain to the software manufacturer for violation of RFCs?
Which ones?
Thx
T.
--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...


Tilman

2/1/2008 5:57:09 PM
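Added example, not code from the thread or from Cisco: a small Python triage script that pulls %ASA-4-419002 lines in the format quoted above out of a syslog feed and summarizes them per source address, so that a single host repeatedly reaching one service (the management-server-to-device case described in this post) can be separated from a source touching many distinct destinations, which is the pattern that would justify the packet capture suggested elsewhere in the thread. The sample log lines, the fan-out threshold and the labels are constructed assumptions of mine, not an ASA classification.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ASA format quoted in the thread (not captured data).
# Includes one unrelated message to show that only 419002 lines are picked up.
SAMPLE_LOG = """\
Jan 31 11:40:01 asa %ASA-6-302013: Built outbound TCP connection 12345 for outside:10.2.160.51/80 (10.2.160.51/80) to inside:192.168.1.100/3650 (192.168.1.100/3650)
Jan 31 11:40:02 asa %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number
Jan 31 11:40:05 asa %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3651 to outside:10.2.160.51/80 with different initial sequence number
Jan 31 11:41:02 asa %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3652 to outside:10.2.160.51/80 with different initial sequence number
Jan 31 11:41:07 asa %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.23/40001 to outside:10.2.160.51/80 with different initial sequence number
Jan 31 11:41:08 asa %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.23/40002 to outside:10.2.160.52/22 with different initial sequence number
Jan 31 11:41:09 asa %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.23/40003 to outside:10.2.160.53/443 with different initial sequence number
"""

# Interface names may contain hyphens (e.g. "inside-HBG"), so allow [\w-]+ for them.
DUP_SYN_RE = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"with different initial sequence number"
)


def parse_dup_syn(log_text):
    """Return one dict per 419002 line found in log_text; other messages are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DUP_SYN_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["src_port"] = int(event["src_port"])
        event["dst_port"] = int(event["dst_port"])
        events.append(event)
    return events


def summarize_by_source(events):
    """Per source IP: number of 419002 events and the distinct (dst_ip, dst_port) pairs hit."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src_ip"]].append(event)
    summary = {}
    for src, evs in by_src.items():
        dests = {(e["dst_ip"], e["dst_port"]) for e in evs}
        summary[src] = {
            "count": len(evs),
            "distinct_destinations": len(dests),
            "destinations": sorted(dests),
        }
    return summary


def triage(summary, fanout_threshold=3):
    """Heuristic label (my assumption, not a Cisco rule): a source that hits at least
    fanout_threshold distinct destination ip:port pairs is 'fanout' and worth a capture;
    a source stuck on one or two services is 'single-service', the app-retry shape."""
    return {
        src: ("fanout" if s["distinct_destinations"] >= fanout_threshold else "single-service")
        for src, s in summary.items()
    }


if __name__ == "__main__":
    summary = summarize_by_source(parse_dup_syn(SAMPLE_LOG))
    labels = triage(summary)
    for src, s in summary.items():
        print(f"{src}: {s['count']} events, {s['distinct_destinations']} destinations -> {labels[src]}")
```

Run against a real syslog file by replacing SAMPLE_LOG with the file contents; the per-source view is what decides whether the message deserves the blanket `no logging message 419002` or a closer look at one host.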

* Tilman Schmidt wrote:
> Lutz Donnerhacke wrote:
>> In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.
>
> Hmm. The guy with 192.168.1.100 is me. :-)
You are a bad guy, aren't you? ;-)
> In sum, this traffic is, with a probability bordering on certainty,
> legitimate.
Capture the network traffic and ask Daniel Rosen in your company to assist
you in debugging it.


Lutz

2/4/2008 11:33:28 AM

On 04.02.2008 12:33 Lutz Donnerhacke wrote:
> * Tilman Schmidt wrote:
>
>> In sum, this traffic is, with a probability bordering on certainty,
>> legitimate.
>
> Capture the network traffic and ask Daniel Rosen in your company to assist
> you in debugging it.
Sorry, no one with that name on our payroll. I can't help wondering
who you think my company is.
No hint what I should be looking for, so I can go after this myself?
--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...


Tilman

2/17/2008 12:57:40 AM

* Tilman Schmidt wrote:
> Sorry, no one with that name on our payroll. I can't help wondering
> who you think my company is.
Sorry, I took it from the news server you are using.
> No hint what I should be looking for, so I can go after this myself?
You have to go yourself or ask your ISP or any other expert to help you.


Lutz

2/18/2008 12:07:36 PM
